US government warns of Heartbleed bug danger

[Image: Homeland Security sign] The US government suggests users should change the passwords of patched online services


The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.

However, an official added that there had not been any reported attacks or malicious incidents.

The alert comes as several makers of net hardware and software revealed some of their products had been compromised.

'A mistake'

A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.

Robin Seggelman, a 31-year-old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.

The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.

Browser alerts

Experts say home kit is less at risk.

There had been reports that domestic home networking equipment - such as wi-fi routers - might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.

However, a security researcher at the University of Cambridge's Computer Laboratory said he thought this would be a relatively rare occurrence.

"You would have to be a semi-professional to have this sort of equipment at home," Dr Richard Clayton told the BBC.

[Image: Heartbleed logo] News of the bug was made public on Monday

"It's unusual to find secure connections to a home router because you'd have to have a certificate in the device.

"If that certificate were self-signed it would generate browser warnings. Alternatively, you could be regularly updated but that would cost money."

UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.

Password resets

News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years.

This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.

Dangerous or not?

Internet security firm Cloudflare has cast doubt over how great the danger posed by Heartbleed is, saying it has been unable to exploit the flaw to obtain the secret SSL keys that would put people's data at risk.

The US company was one of those given early warning of the vulnerability before Monday's public announcement, and has had 12 days to carry out tests.

"Note that is not the same as saying it is impossible to use Heartbleed to get private keys," blogged software engineering leader Nick Sullivan.

"We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard."

The news prompted news site The Verge to lead with the headline: "Heartbleed security flaw may not be as dangerous as thought".

But Codenomicon - the security firm that sounded the first alert - stands by its warning.

"We know what we found," chief executive David Chartier told the BBC.

"Access to memory is a very serious vulnerability and it's great that people are taking quick action to upgrade and remediate the problem.

"If you search on the internet you will find many people have replicated the problem."

The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.

The website set up to publicise the danger noted that it was possible to carry out such an attack "without leaving a trace", making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
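The "access to memory" described above comes from a single missing length check in the heartbeat code: the server echoed back as many bytes as the request claimed to contain, not as many as it actually received. The C model below is added here as an illustration and is not the article's or OpenSSL's code; the record layout, the `arena` buffer standing in for process memory and all function names are constructed simplifications. It places the unchecked copy beside the checked one so the fix is visible.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a TLS heartbeat record: 1-byte type, 2-byte
 * big-endian payload length, payload, then 16 bytes of padding. */
#define HB_PADDING 16
#define ARENA_SIZE 256

/* Stand-in for process memory: the record sits first, a secret right after it. */
static uint8_t arena[ARENA_SIZE];

/* Build a request claiming `claimed_len` payload bytes but carrying `real_len`. */
size_t build_record(const char *payload, size_t real_len,
                    uint16_t claimed_len, const char *secret) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    size_t record_len = 3 + real_len + HB_PADDING;
    strcpy((char *)arena + record_len, secret);   /* adjacent memory */
    return record_len;
}

/* Vulnerable handler: trusts the claimed length and echoes that many bytes,
 * reading past the record. out_cap must stay below ARENA_SIZE - 3. */
size_t handle_unchecked(size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                             /* never consulted: the bug */
    size_t claimed = (size_t)(arena[1] << 8 | arena[2]);
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Fixed handler: the claimed length must fit inside the bytes actually
 * received; otherwise the message is silently discarded. */
size_t handle_checked(size_t record_len, uint8_t *out, size_t out_cap) {
    size_t claimed = (size_t)(arena[1] << 8 | arena[2]);
    if (3 + claimed + HB_PADDING > record_len || claimed > out_cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Dishonest request (4 real bytes, 64 claimed): did the secret come back? */
int secret_leaks(size_t (*handler)(size_t, uint8_t *, size_t)) {
    uint8_t out[128] = {0};
    size_t rec = build_record("ping", 4, 64, "SECRET-KEY");
    size_t n = handler(rec, out, sizeof out);
    return n >= rec - 3 + 10 && memcmp(out + (rec - 3), "SECRET-KEY", 10) == 0;
}
```

In the real protocol the length field is 16 bits, which is where the 64K-per-request figure above comes from; the check in `handle_checked` is the shape of the one the patched library applies.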

Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some - but not all - companies suggesting users should reset their passwords.

Risk to business

Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and WatchGuard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.

Dr Clayton explained how such a hacker could take advantage of the problem.

"If you managed to log into a router then the simplest thing you could do would be to change the DNS [domain name system] settings in there," he said.

"Then you could arrange that everything on the internet resolves correctly apart from, for example, Barclays.com, which you could set to resolve to a malicious site that asks for the visitors' details."

[Image: Junos Pulse] Junos Pulse - an app used to allow remote access to networks - is one of the compromised products

Prof Alan Woodward, a security expert at the University of Surrey, gave another scenario in which hackers could take advantage of flaws in virtual private network software used to let workers log into corporate networks when not in the office.

'Closely monitor'

"The worst case would be that they could reach in and see the keys," he said.

"Hence all the traffic going to and from remote workers that people thought was secure could potentially be decrypted.

"But you would be working through quite a few layers of things to get to that because the way OpenSSL is used is quite complicated."

The US government has said that it was working with third-party organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".

Meanwhile, officials suggested members of the public should "closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages".


The UK has given similar advice.

"People should take advice on changing passwords from the websites they use," said a Cabinet Office spokesman.

"Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."

BBC © 2014